How to Not Get Pwned at DEF CON
Now when I say DEF CON, I’m referring to the hacking convention held annually in Las Vegas, not the defense alert system used by the U.S. military. DEF CON is one of the most fun events I’ve ever been to, but it’s also easily the most dangerous. The bulk of people at DEF CON are makers and breakers, hackers with passionate curiosity who combine their technical expertise with their creative ability to achieve otherwise-impossible ends, but there is a small group of other types who congregate at our mecca: the crackers, feds, and of course, script kiddies.
The convention is starting today and if you’re reading this, I’m within the crowd, having published this post earlier thanks to the magic of scheduling. Of course I’m a maker and breaker, but like many other hackers, I have the same skillsets that the crackers, feds, and skids have. This is great, because I know exactly all the types of attacks that could be carried out against me and more importantly, how to protect against those types of attacks.
Step One: Understand Your Threat Model
I can accurately be described as living in a healthy state of cyber-paranoia. Depending on who you are, you should either be more or less paranoid than me. An important point to understand is that unless you’re some super important politician, journalist, FBI’s most wanted, etc. then nobody’s gonna bother wasting a 0day on you. The fact of the matter is that the majority of us – to our luck – aren’t important enough to be targets.
Understand your threat model. Who is most likely to attack you? If you’re a robber, watch out for the cops. If you’re a cop, watch out for the robbers. For the rest of us, we have only a few real threat actors:
- the script kiddie;
- the packet sniffers who will put you on the Wall of Sheep;
- viruses making their rounds;
- attacks not targeted to you, but whose splash damage you’ve fallen into;
- and others.
Now, understand what types of attacks you’re most likely to face:
- Script kiddies
  - Network attacks
  - GSM attacks
  - Cobalt Strike going brrrr
- Packet sniffers
  - Packet sniffing (network attacks)
- Viruses
  - Network attacks
  - Infection
  - Backdoors
  - Zombification
- Collateral damage
  - Network attacks
  - GSM attacks
I think you’re starting to see a pattern here. These attacks are wireless and happen over radio waves. You’re unlikely to get BadUSB drive-by’ed, and more likely to fall susceptible to a network-originating attack.
Step Two: Be Wary of Networks, the Hacker’s Arena
Computer networks are a complex topic and an entire subject of study all on its own. I’m utterly drawn to networking and perhaps that’s why I began to specialize in network hacking when I was first starting out, and while I’m less interested in all the inner workings of IT networking architecture, infrastructure, configuration, and maintenance, I’m fascinated by one true rule: networks are the hacker’s arena.
There’s never been a network I couldn’t hack, but there have been plenty of hosts within the network who were properly secured against me. There are plenty of things a network hacker could do:
- Scanning and enumeration
  - If any outdated services are running on your host with an open port, then that opens the door for us to perform…
- Exploitation
- Sniffing
  - Data you send over a network can be sniffed over the air or wire.
- Social engineering
  - DNS spoofing and site cloning
  - Browser-based attacks
- Every other form of a MitM attack
Even if you’re connected to a supposedly secure network, make sure it’s not an evil twin! Beware that even if you’re properly secured against common exploits and have educated yourself against social engineering attacks, threat actors could still discover information about you through data leaked in side channels.
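One practical way to check for an evil twin before you connect is to look at a Wi-Fi scan and see whether a single SSID is being advertised by access points that don’t agree with each other. The script below is an added example, not code from the original post: it parses the text output of `iw dev wlan0 scan` (the field layout assumed here matches what recent `iw` prints, but treat that as an assumption) and flags an SSID when its access points disagree on security (one open, one RSN/WPA) or come from different vendor OUIs. The scan text embedded in the script is constructed sample data with locally-administered MAC addresses.

```python
"""Evil-twin heuristic over `iw dev <iface> scan` output (added example)."""
import re
import subprocess
import sys
from collections import defaultdict

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})")

# Constructed sample: two RSN-protected APs from one vendor OUI plus an open
# AP from a different OUI, all claiming the same SSID; one unrelated network.
SAMPLE_SCAN = """\
BSS 02:11:22:33:44:01(on wlan0)
\tfreq: 2412
\tsignal: -47.00 dBm
\tSSID: ConferenceWiFi
\tRSN:\t * Version: 1
BSS 02:11:22:33:44:02(on wlan0)
\tfreq: 5180
\tsignal: -52.00 dBm
\tSSID: ConferenceWiFi
\tRSN:\t * Version: 1
BSS 06:aa:bb:cc:dd:ee(on wlan0)
\tfreq: 2437
\tsignal: -30.00 dBm
\tSSID: ConferenceWiFi
BSS 02:11:22:33:44:03(on wlan0)
\tfreq: 2462
\tsignal: -60.00 dBm
\tSSID: HotelGuest
\tRSN:\t * Version: 1
"""


def parse_iw_scan(text):
    """Turn `iw ... scan` text into a list of per-BSS dicts."""
    networks = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "freq": None,
                   "signal": None, "secure": False}
            networks.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("freq:"):
            cur["freq"] = int(float(line.split(":", 1)[1].strip()))
        elif line.startswith("signal:"):
            cur["signal"] = float(line.split(":", 1)[1].split()[0])
        elif line.startswith("SSID:"):
            cur["ssid"] = line[len("SSID:"):].strip()
        elif line.startswith("RSN:") or line.startswith("WPA:"):
            # Any RSN/WPA information element means the BSS is encrypted.
            cur["secure"] = True
    return networks


def find_suspicious_ssids(networks):
    """Return {ssid: [reasons]} for SSIDs whose APs disagree with each other.

    Several APs sharing one SSID is normal in a large venue, so a set of
    same-vendor, same-security APs is not reported; only inconsistency is.
    """
    by_ssid = defaultdict(list)
    for n in networks:
        if n["ssid"]:
            by_ssid[n["ssid"]].append(n)
    findings = {}
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue
        reasons = []
        if len({ap["secure"] for ap in aps}) > 1:
            reasons.append("mixed open/encrypted APs")
        if len({ap["bssid"][:8] for ap in aps}) > 1:  # first 3 octets = OUI
            reasons.append("different vendor OUIs")
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    # Usage: sudo python3 evil_twin_check.py wlan0   (no arg: sample data)
    if len(sys.argv) > 1:
        text = subprocess.run(["iw", "dev", sys.argv[1], "scan"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_SCAN
    for ssid, reasons in find_suspicious_ssids(parse_iw_scan(text)).items():
        print(f"{ssid!r}: {', '.join(reasons)}")
```

On the sample data only `ConferenceWiFi` is reported, for both reasons; `HotelGuest` has a single AP and is ignored. A hit is a reason to pause, not proof: a venue that mixes vendors will trip the OUI heuristic, while an open AP beside an encrypted one carrying the same name is the textbook evil-twin shape.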
Step Three: Tunnel
All those VPN sponsorships on the Internet that claim a VPN will protect you against every attack imaginable (network or not) are plain-and-simple snake oil marketing. However, encrypting your traffic and routing it through a tunnel such as a VPN will actually effectively fortify you against a large number of network-based attacks.
Remember that when you use a VPN, you’re simply outsourcing the job of protecting your data from the network to a VPN provider. The network has no obligation to secure your data, while VPN providers make business off of their integrity and reputation – but beware, they are often black boxes to us and have to comply with law enforcement on top of watching their own security.
As much as this is starting to sound like a VPN sponsorship, it isn’t. I won’t make any recommendations; do your own research. A tunnel of any kind will protect you against some attacks from the hackers at DEF CON, but what happens to your data when it reaches the other end of the tunnel is another story – better hope it’s trustworthy!
When you use a VPN, make sure that your DNS traffic is encrypted as well. Run a network capture while using a VPN and visit a website. If your DNS traffic isn’t encrypted, check your VPN configuration settings. DNS traffic is a very common side channel attack vector.
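The capture check above can be automated. The script below is an added example, not code from the original post: it reads `tcpdump -i any -nn -l udp port 53` output and reports every outbound plaintext DNS query that did not leave through the tunnel interface. It assumes the per-line format tcpdump prints when capturing on `any` (timestamp, interface, direction, then the packet summary), which holds for recent tcpdump versions but should be treated as an assumption; the capture lines embedded in the script are constructed sample data using documentation address ranges.

```python
"""Flag plaintext DNS queries that bypass the VPN tunnel (added example)."""
import re
import sys
from collections import Counter

# Assumed `tcpdump -i any -nn` line shape:
#   <time> <iface> <In|Out> IP <src>.<sport> > <dst>.<dport>: <dns summary>
LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6?\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
# A query summary looks like "1002+ A? example.com. (29)"; answers have no "?".
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")

# Constructed sample: one query inside the tunnel (fine), one to the local
# router and one to a public resolver that both leave via wlan0 (leaks),
# plus an answer packet that must be ignored.
SAMPLE_CAPTURE = """\
13:01:02.100000 tun0 Out IP 10.8.0.2.40001 > 10.8.0.1.53: 1001+ A? example.com. (29)
13:01:02.300000 wlan0 Out IP 192.168.1.5.40002 > 192.168.1.1.53: 1002+ A? example.com. (29)
13:01:02.310000 wlan0 In IP 192.168.1.1.53 > 192.168.1.5.40002: 1002 1/0/0 A 203.0.113.10 (45)
13:01:03.000000 wlan0 Out IP 192.168.1.5.40003 > 192.0.2.53.53: 1003+ AAAA? defcon.org. (28)
"""


def find_dns_leaks(lines, tunnel_iface="tun0"):
    """Return outbound port-53 queries seen on any interface but the tunnel.

    Traffic on the tunnel interface is plaintext to tcpdump but encrypted on
    the wire, so only queries on other interfaces count as leaks. DoT (853)
    and DoH (443) never match port 53 and are therefore never reported.
    """
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "Out" or m["dport"] != "53":
            continue
        if m["iface"] == tunnel_iface:
            continue
        q = QUERY_RE.search(m["rest"])
        if not q:
            continue  # not a query summary
        leaks.append({"iface": m["iface"], "resolver": m["dst"],
                      "qtype": q["qtype"], "qname": q["qname"]})
    return leaks


def resolvers_hit(leaks):
    """Count leaked queries per resolver address, which is what to fix."""
    return Counter(leak["resolver"] for leak in leaks)


if __name__ == "__main__":
    # Usage: sudo tcpdump -i any -nn -l udp port 53 | python3 dns_leak_check.py [tunnel_iface]
    iface = sys.argv[1] if len(sys.argv) > 1 else "tun0"
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    found = find_dns_leaks(source, iface)
    for leak in found:
        print(f"LEAK via {leak['iface']} -> {leak['resolver']}: "
              f"{leak['qtype']} {leak['qname']}")
    for resolver, n in resolvers_hit(found).items():
        print(f"{n} leaked queries to {resolver}")
```

Run it for a minute while browsing; a clean tunnel produces no output. Any line naming your physical interface means the system resolver is still talking to the LAN or a public resolver outside the VPN, which is the configuration problem to chase down.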
As a general rule of thumb, wireless is the enemy. Be cautious when you’re on wireless. Tunnel everything.
Step Four: Burners
When you do get pwned, your data is now in someone else’s hands. That’s why it’s so important to bring burner devices. Throw Linux on an old laptop you don’t use. Bring a burner phone and avoid calling from your usual phone; GSM hacking is easier than you think – in fact, just put your usual phone in airplane mode while you’re at the con! Turn off Bluetooth on all your devices and don’t even use it.
Cameras and shoulder surfers are also an enemy. Create burner passwords for use at the con. If you need to use your normal passwords, use a password manager that’s encrypted with a burner PIN that can be revoked. If someone or something can see you type a password, now they have it.
Step Five: Cash
When I first began RFID/NFC hacking, it scared me how easy it was to read the full number of a credit/debit card with tap functionality without ever having to touch a target or even see the card. Get a wallet with RFID blocking to protect yourself against people like me. Use cash payments wherever possible. Magstripes are easy to skim, and as for reading RFID/NFC payment cards – well, you’re just asking to get pwned at that point.
Conclusion
And with that, now you’re unpwnable to the vast majority of threat actors that are most likely to attack you! If someone dropped a 0day on you, or you somehow still got pwned any other way, perhaps you weren’t as unimportant as you’d originally thought. For the rest of us, these precautions fall within the “healthy paranoia” part of the spectrum – just enough to protect us, not enough to inconvenience us, and definitely enough to give us peace of mind.
Have an awesome DEF CON! Hydrate, have fun, socialize, and remember to break everything.
Happy hacking!